Script to find all the interfaces having an IP address on the node, to push a particular command to that interface
Need a config script to get the interfaces that have IP addresses.
Everything DISA STIGs for your Network
Introduction
This page will be the Main Page for all DISA STIG information provided by CourtesyIT. The intent is to follow this page to alert you to new content and discussions about being DISA STIG Compliant. Please feel free to message me if you would like any STIG\Vendors packages developed that are not listed here.
This page is not endorsed by DISA or Solarwinds, but merely one interpretation of the requirements. Community involvement is encouraged.
Directory
1. Getting Started
This link will be to discuss ways to get started and how this process and capability can work for you.
How to Use the Compliance Feature in Solarwinds.pdf
How to Create a Policy Report.pdf
2. How to Create a STIG Dashboard and View
This link will provide a document for you to download and build a Dashboard to show your success with the NCM Compliance feature.
3. Reports by Vendor
These links will be based on Vendor STIGs. For best results, please download these reports through NCM. Navigate via Configs Tab > Compliance > Manage Policy Reports > Shared on Thwack Tab.
Dell
4. RAW DATA
This text document is the raw data for all the rules. This document can be used as a policy or baseline for all rules in the event submission is required for the coding and configuration of your Compliance Solution.
RAW DATA DISA STIG V8R19 - Cisco
5. DISA STIG Matrix
This document is a matrix to validate which rules are applied to which type of functional device.
6. Other Customizations
This link is a random sampling of various customizations I found on some Thwackers' content pages.
How to do various customizations with your Solarwinds
Living Document. Please Bookmark.
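As an added illustration of what an NCM compliance policy report does with a rule set like the one above: each rule is a regular expression that must, or must not, match the device configuration, either anywhere in the config or inside every configuration block whose header matches a second expression. The checker below is example code written for this page, not NCM's compliance engine and not CourtesyIT's STIG packages. The rules and the sample config are constructed for illustration; they quote no STIG rule text and carry no STIG rule IDs.

```python
"""A minimal config-compliance checker in the style of an NCM policy report.
Each rule is a regex that must (or must not) match, either anywhere in the
config or inside every config block whose header matches a second regex.
Added example for this page, not NCM's engine or CourtesyIT's STIG packages;
the rules and sample config are constructed and quote no STIG rule text."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str                  # evaluated with re.MULTILINE over the scoped text
    must_exist: bool              # True: a match is required; False: any match is a violation
    block: Optional[str] = None   # header regex of the blocks to scope to, e.g. r"^line vty"


def config_blocks(config: str, header_re: str) -> List[Tuple[str, str]]:
    """Return (header, text) for each block: a matching top-level line plus the
    indented lines under it (Cisco style: one leading space per sub-command)."""
    lines = config.splitlines()
    blocks, i = [], 0
    while i < len(lines):
        if re.match(header_re, lines[i]):
            j = i + 1
            while j < len(lines) and lines[j].startswith(" "):
                j += 1
            blocks.append((lines[i], "\n".join(lines[i:j])))
            i = j
        else:
            i += 1
    return blocks


def evaluate(rule: Rule, config: str) -> List[str]:
    """Return the rule's violations for this config (empty list = compliant)."""
    if rule.block is None:
        scopes = [("global", config)]
    else:
        scopes = config_blocks(config, rule.block)
        if not scopes:
            # A must-exist rule with no block to check is a finding, not a pass.
            return [f"{rule.name}: no block matching {rule.block!r}"] if rule.must_exist else []
    violations = []
    for header, text in scopes:
        hit = re.search(rule.pattern, text, re.MULTILINE)
        if rule.must_exist and hit is None:
            violations.append(f"{rule.name}: missing in {header}")
        elif not rule.must_exist and hit is not None:
            violations.append(f"{rule.name}: found {hit.group(0).strip()!r} in {header}")
    return violations


def run_policy(rules, config):
    """Evaluate every rule; the result maps rule name to its list of violations."""
    return {r.name: evaluate(r, config) for r in rules}


def is_compliant(rules, config) -> bool:
    return not any(run_policy(rules, config).values())


# Constructed rules in the shape of common hardening checks (illustrative, not STIG text).
RULES = [
    Rule("password-encryption", r"^service password-encryption$", must_exist=True),
    Rule("no-http-server", r"^ip http server$", must_exist=False),
    Rule("vty-ssh-only", r"^ transport input ssh$", must_exist=True, block=r"^line vty"),
    Rule("vty-exec-timeout", r"^ exec-timeout \d+ \d+$", must_exist=True, block=r"^line vty"),
]

# Constructed sample config with one global and two per-block findings.
SAMPLE_CONFIG = """\
hostname edge-sw1
service password-encryption
ip http server
no ip domain-lookup
line con 0
 exec-timeout 10 0
line vty 0 4
 transport input telnet ssh
 exec-timeout 10 0
line vty 5 15
 transport input ssh
"""

if __name__ == "__main__":
    for name, findings in run_policy(RULES, SAMPLE_CONFIG).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL ' + '; '.join(findings)}")
```

The block scoping is the part worth copying: a rule that only asks whether `transport input ssh` appears somewhere in the config passes the sample above even though `line vty 0 4` still accepts telnet. Scoping the rule to every `line vty` block reports that block by name, which is what a remediation ticket needs.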
Cipher protocols supported by NCM SSH
FYI, just hit an issue following the upgrade of the OS on some of our Fortigate boxes [due to the backdoor password discovery] where the SSH provided in NCM 7.3.x doesn't have an agreeable set of cipher protocols, which leads to no SSH connection:
Server (firewall) Algorithms
kex_algorithms length: 61
kex_algorithms string: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
server_host_key_algorithms length: 15
server_host_key_algorithms string: ssh-rsa,ssh-dss
encryption_algorithms_client_to_server length: 135
encryption_algorithms_client_to_server string: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
encryption_algorithms_server_to_client length: 135
encryption_algorithms_server_to_client string: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
mac_algorithms_client_to_server length: 85
mac_algorithms_client_to_server string: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
mac_algorithms_server_to_client length: 85
mac_algorithms_server_to_client string: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
compression_algorithms_client_to_server length: 9
compression_algorithms_client_to_server string: none,zlib
compression_algorithms_server_to_client length: 9
compression_algorithms_server_to_client string: none,zlib
languages_client_to_server length: 0
languages_client_to_server string: [Empty]
languages_server_to_client length: 0
languages_server_to_client string: [Empty]
KEX First Packet Follows: 0
Reserved: 00000000
Client Algorithms
kex_algorithms length: 111
kex_algorithms string: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
server_host_key_algorithms length: 75
server_host_key_algorithms string: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
encryption_algorithms_client_to_server length: 175
encryption_algorithms_client_to_server string: aes128-cbc,aes128-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,cast128-cbc
encryption_algorithms_server_to_client length: 175
encryption_algorithms_server_to_client string: aes128-cbc,aes128-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,cast128-cbc
mac_algorithms_client_to_server length: 64
mac_algorithms_client_to_server string: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,none
mac_algorithms_server_to_client length: 64
mac_algorithms_server_to_client string: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,none
compression_algorithms_client_to_server length: 9
compression_algorithms_client_to_server string: none,none
compression_algorithms_server_to_client length: 9
compression_algorithms_server_to_client string: none,none
languages_client_to_server length: 0
languages_client_to_server string: [Empty]
languages_server_to_client length: 0
languages_server_to_client string: [Empty]
KEX First Packet Follows: 0
Reserved: 00000000
[the Fortigate simply drops the connection if it doesn't like the order or algorithms, which is somewhat less than helpful]
Is there a way to control the order of the client algorithms used by the NCM client?
[note: support cases 928417 and 927532]
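To see what a standards-conforming client and this firewall would actually agree on, here is the RFC 4253 section 7.1 negotiation replayed over the KEXINIT name-lists from the post (an added example written for this page, not code from the post, from NCM or from Fortinet). For each category the chosen algorithm is the first entry in the client's list that the server also offers; the client-to-server and server-to-client lists in the post are identical, so each is given once. Against these two lists every category has a common algorithm, so a pure RFC negotiation would succeed, and the outcome, diffie-hellman-group1-sha1 with aes128-cbc and hmac-sha1, is a reminder that a cipher set that connects is not the same as one you want a configuration-management credential travelling over. The "weak" classification is the example's own, not the poster's.

```python
"""SSH algorithm negotiation (RFC 4253 section 7.1) replayed over the
KEXINIT name-lists from the post above.

Added example, not part of the original post, of NCM or of FortiOS. The
name-lists are copied from the post; the 'weak' classification below is
this example's own judgement (1024-bit DH group, DSA host keys, CBC modes,
RC4, MD5 or truncated MACs, and no MAC at all)."""
import re

# Server (the Fortigate) name-lists as printed in the post.
SERVER = {
    "kex": "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1",
    "hostkey": "ssh-rsa,ssh-dss",
    "cipher": ("aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,"
               "aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr"),
    "mac": "hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96",
    "comp": "none,zlib",
}

# Client (NCM 7.3.x) name-lists as printed in the post.
CLIENT = {
    "kex": ("ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
            "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1"),
    "hostkey": "ssh-rsa,ssh-dss,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256",
    "cipher": ("aes128-cbc,aes128-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes192-ctr,aes256-cbc,"
               "aes256-ctr,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,"
               "rijndael-cbc@lysator.liu.se,cast128-cbc"),
    "mac": "hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,none",
    "comp": "none,none",
}

# Categories where a weak choice matters; compression 'none' is not a weakness.
SECURITY_CATEGORIES = ("kex", "hostkey", "cipher", "mac")
WEAK = re.compile(r"group1-sha1$|^ssh-dss$|-cbc$|^arcfour|^hmac-md5|-96$|^none$")


def parse_name_list(s):
    """RFC 4253 name-list: comma-separated names, no spaces; '' is the empty list."""
    return [n for n in s.split(",") if n]


def negotiate(client_list, server_list):
    """RFC 4253 7.1: the first algorithm in the client's order that the server also lists."""
    offered = set(parse_name_list(server_list))
    for name in parse_name_list(client_list):
        if name in offered:
            return name
    return None  # no common algorithm: the connection must be disconnected


def negotiate_all(client, server):
    """Resolve every category both sides sent; None marks a category with no agreement."""
    return {cat: negotiate(client[cat], server[cat]) for cat in client if cat in server}


def weak_choices(chosen):
    """Categories whose negotiated algorithm this example classifies as weak."""
    return sorted(cat for cat in SECURITY_CATEGORIES
                  if chosen.get(cat) and WEAK.search(chosen[cat]))


if __name__ == "__main__":
    chosen = negotiate_all(CLIENT, SERVER)
    for cat, alg in chosen.items():
        print(f"{cat:8} -> {alg or 'NO COMMON ALGORITHM (disconnect)'}")
    print("weak choices:", weak_choices(chosen))
```

Two things this makes visible that the raw dump does not: the NCM client advertises `none` as an acceptable MAC, which a stricter server could legitimately refuse to talk to; and the only key exchange the two sides share is the 1024-bit group1, because the firewall offers no ECDH and the client offers no group-exchange. Swapping either list for one that includes diffie-hellman-group14-sha1 on both sides changes the negotiated kex immediately, which is the knob the post is asking for.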
trouble with password aging of Cisco SG300
Hi,
we have a lot of Cisco SG300. All of them are configured with password aging.
It means after input of the password there is a question: "Your password has exceeded the maximum lifetime. Please change the password for better protection of your network. Do you want to change it now (Y/N)[N]". At the command line you can input "N" and then it carries on.
For automatic connection by NCM this behaviour is a problem. The connection doesn't work.
My question:
Is it possible to emulate the input of "N" after the password by changing the device template?
I know I can switch off password aging with "password aging 0" in the config, but I would have to do it more than 100 times (once for each switch).
Thank you,
wolliballa
How can I upload the results of the script with multiple devices in a single file?
When I used NCM 7.3.2, I used the "Network Configuration Manager" application on the server for this. After I updated to version 7.4.1, this user-friendly application is no longer found.
can .bin files be used for different switches?
I'm really new to Cisco switch configurations, so I don't really know if there is a difference. I went and downloaded the newest IOS for quite a few of our switches and I noticed some of them look identical even if they are different models. For example, the C3850-24P-S and the C3850-48P both use the cat3K_caa-universalk9.SPA.03.03.03.SE.150-1.EZ5.bin. Could I use the same bin file for both of them or do I need to upload the specific one to the specific switch? I created a small script to upload these to the switches but it'd be a pain to have a different script for each version. Any other suggestions would be appreciated.
Node change report
Hello
I am looking to create a custom report for a 30 day period. The report needs to show me just all the node names and the date each was last changed; I do not care about what was changed in this report, just the date and that it was changed. I am also looking to export this report to Excel. Can someone please point me in the right direction?
Many Thanks
F5 and NCM backup
Hi All
Please help
My aim is to back up configs on our GTM/LTM F5. I have pretty much used all the templates I can see on this forum, e.g. F5 BIG IP-1.3.6.1.4.1.3375.ConfigMgmt-Commands, and I get the error
Validation Failed: An error occurred during script parsing. Position: Line 1, Character 3 Error message: mismatched character '-' expecting '=' Please check script syntax.
We are running Licensed Version 11.4.1 on the F5. I am not too familiar with F5. I do the following
......(tmos) # show running-config
Display all 235 items? (y/n) y
I have used the template assistant and have entered "y" in the RegEx, which i think it does accept but then comes back with "Unable to get Config Text". I have looked at the templates on here and really not too clear about some of the lines e.g. " <Command Name="EraseConfig" Value="write erase${CRLF}Yes"/>". Luckily it never went past the error above. I did remove the lines i did not think i will need and now left with the below:
<!--SolarWinds Network Management Tools-->
<!--Copyright 2007 SolarWinds.Net All rights reserved-->
<!--Modified 12/02/2011-->
<Configuration-Management Device="BIGIP F5 LTM" SystemOID="1.3.6.1.4.1.3375.2.1.3.4">
<Commands>
<Command Name="DownloadConfig" Value="show running-config all-properties"/>
<Command Name="PostCommand" Value="${ENTER}"/>
<Command Name="PostCommand" Value="y"/>
</Commands>
</Configuration-Management>
Not sure if "PostCommand" is valid.
When I log in I get this as my prompt
name@(device)(cfg-sync In Sync)(Active)(/Common)(tmos)#
Please help. I just need to back up the configs on the F5 like I do for the Cisco.
Thanks
Find all NCM managed nodes and if the config is backed up
Hi all,
1st
I'd like to create a report that shows all nodes in Solarwinds and the field "Managed by NCM" with "Yes" or "No"
Which Database field do I need in a report ?
2nd
I'd like to have a report with all nodes "Managed by NCM" = "Yes" showing if the configs are backed up successfully or not.
Many thanks for any help.
Juergen
Identify Switch Ports in the UP status
Hi Guys
I was googling for a script to do this but can't find one. Does anyone have an NCM script to identify the ports on each Cisco switch that are UP?
I have to use NCM for this as we do not monitor all the ports in NPM.
Thanks
Brian
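Both the request at the top of the page (interfaces that have an IP address, so that a command can be pushed to each one) and this one (ports that are up) can be answered from the same `show ip interface brief` output. The parser below is an added example written for this page, not an NCM script and not code from either poster; it runs on saved show output such as a downloaded config or job result. The sample output, the interface names and the command it pushes (strict uRPF via `ip verify unicast source reachable-via rx`) are constructed for illustration. "Up" is taken as status and line protocol both up, which excludes administratively down interfaces and up/down ones.

```python
"""Parse Cisco 'show ip interface brief' output and answer two questions:
which interfaces carry an IP address (to push a per-interface command to
each) and which ports are up/up. Added example for this page; the sample
output and the command pushed are constructed, not taken from the posts."""
import re

# Constructed sample output, laid out the way IOS prints it.
SAMPLE_OUTPUT = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan10                 10.10.10.2      YES NVRAM  up                    up
GigabitEthernet1/0/1   unassigned      YES unset  up                    up
GigabitEthernet1/0/2   unassigned      YES unset  down                  down
GigabitEthernet1/0/24  192.0.2.1       YES manual up                    down
Loopback0              10.255.0.1      YES NVRAM  up                    up
"""

# Status can contain a space ("administratively down"), so match the known
# values explicitly instead of splitting the row on whitespace.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>administratively down|up|down|deleted)\s+(?P<protocol>up|down)\s*$"
)


def parse_brief(text):
    """One dict per interface row; the header and any unparseable line are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def interfaces_with_ip(rows):
    """Interfaces with an address assigned (IOS prints 'unassigned' otherwise)."""
    return [r["name"] for r in rows if r["ip"] != "unassigned"]


def up_ports(rows):
    """Interfaces whose status and line protocol are both up (excludes admin-down and up/down)."""
    return [r["name"] for r in rows if r["status"] == "up" and r["protocol"] == "up"]


def render_interface_config(names, command):
    """Config-mode snippet applying `command` under each named interface."""
    lines = ["configure terminal"]
    for name in names:
        lines += [f"interface {name}", f" {command}"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_brief(SAMPLE_OUTPUT)
    print("up/up ports:", up_ports(rows))
    # Illustrative command: enable strict uRPF on every addressed interface.
    print(render_interface_config(interfaces_with_ip(rows),
                                  "ip verify unicast source reachable-via rx"))
```

Whatever command you push, run the generated snippet past a second pair of eyes before scheduling it across a fleet: `interfaces_with_ip` includes management VLANs and loopbacks, and a filter on interface name is cheaper than a lockout.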
ACS is eventually being discontinued - what are people planning on using for device management, ISE / tac_plus / etc?
At my current job we have an older version of Cisco ACS that is going EOL soon. We've started looking into upgrading to the latest Cisco ACS server, which is version 5.5 I hear. Not only is it very expensive to go above 500 devices, but Cisco is telling us that this is the very last version of Cisco ACS that will ever be put out and that they want everyone to move to ISE instead. I'm guessing that will be several years in the future, but we're hesitant at paying so much money for what could be an eventual dead-end for us.
I find it a bit funny, especially since they don't even have an ISE server that does TACACS yet, and for those of us that want the ability to do things like Shell Command Authorization Sets, that's pretty critical since RADIUS can't do that to my knowledge. I've noticed there are a couple of TACACS alternatives out there, like tac_plus, tacacs.net and clearbox. I'm just curious what people are planning on doing on their network, or if they have already moved away from Cisco's product, what are they using?
I'd really love to see Solarwinds put out a product geared at handling device management like this, to work in concert with NCM. And preferably not stick it to us with a huge pricetag like Cisco is with both the newer ACS servers and ISE. Wonder if there are any plans for that? Would be a nice addition to their current product line.
Netflow with Avaya 5520 and 4850 switches
I was wondering if anybody has set up Avaya 5520s or 4850s to be Netflow enabled? If you know any of the commands that would be greatly appreciated.
Thanks,
Ian
NCM - Baseline configurations question
I have a text file of baseline configurations for our switches, but the only thing I can see in NCM is a way to baseline a previously backed-up config. Is there a way to baseline our "ideal" configuration or do I have to use a previously backed up config for each switch?
Thanks,
joneal222
Upgrade IOS using NCM?
Hello
We have over 500 switches which need an IOS upgrade and doing this one by one is going to take an age.
Is there any way we could use NCM to automate the upgrade?
Cheers
Download configs from Cisco and Juniper switches configured with SSH
We are doing a switch refresh. Our old Cisco and Juniper switches had telnet only enabled. The new switch stacks are only accessible through SSH and now we are unable to download configurations to our Orion database.
Is there a way we can configure Orion to do SSH and telnet?
thank you
Dwane
NCM 7.4 Communication Problems
Per direction of our IA department we recently updated the self-signed certificate on our SolarWinds Application Server (Windows Server 2008 R2 Enterprise platform) from 1024 bit to 2048 bit. Here are the instructions we followed: https://thwack.solarwinds.com/community/solarwinds-community/geek-speak_tht/blog/2012/10/23/getting-certificates-up-to-speed--updating-rsa-key-security
We carefully followed the process, but now our Network Configuration Manager is broken:
1. It will not download or upload Cisco startup or running configurations. The error message we receive is: "Start Transfer Error. See NcmBusinessLayerPlugin log for details" "Fix connection in Device Template." When we click on the "Fix connection" link in the Configuration Manager/Transfer Status tab, then navigate to the General Device Access tab, and we verify the settings and press "Test," we receive the error: "Unable to connect to polling engine (server name) on the relevant server. Verify that NCM 7.4 or later is installed on the server." We are running NCM 7.4.
2. We cannot edit nodes, even if we delete them and re-add them. When we attempt to edit a node, we receive the following message: "There was an error retrieving data from SolarWinds Information Service" and "Invoke failed, check fault information."
3. We have several WMI (Windows) credentials stored. They can be verified in Settings/Windows Credentials/Manage Windows Credentials. However, when we add a new Windows Server 2008 R2 Enterprise node and select the WMI option from the Windows Servers: WMI and ICMP/Choose credential/<New Credential> arrow, no options are available. If we attempt to type the stored credential name manually, it still does not appear.
4. We CAN run default SolarWinds reports from the CONFIGS tab/Reports menu option in the web interface. However, none of our scheduled jobs will run. Everything (including the items listed above) was working fine until the certificate update.
These behaviors persist regardless of browser (Firefox 41.0.2 or Internet Explorer 10.0.32)
We opened a support case with SolarWinds three weeks ago and have been communicating with them daily via telephone and email. They have walked us through an array of troubleshooting efforts including registry fixes, but so far nothing is working.
The main log files we have been dealing with in our troubleshooting efforts are:
- BusinessLayerHost.log
- Core.BusinessLayer.log
- InformationService.log
- NcmBusinessLayerPlugin.log
- Orion.InformationService.log
- OrionPermissionChecker.log
- OrionWeb.log
The licensed products we are running are:
- Orion Platform 2015.1.2
- NCM 7.4 (NCM-NPM Integration 7.4)
- SAM 6.2.2
- NPM 11.5.2
- IPAM 4.3
- NTA 4.1.1
Also:
- DPA 10.0.0
- PM 2.1
And:
- SolarWinds Collector v2.12.38
- SolarWinds Job Engine v2.10.0
- SolarWinds Integrated Virtual Infrastructure Monitor v2.1.0
- SolarWinds Information Service v2015.1.6134
The Hot Fixes are also installed.
We are running .NET Framework 4.5 and WinPcap 4.1.3.
Our SolarWinds Application Server and related servers (SQL and NTA) are located on a closed network with no direct access to the Internet.
The reason I've listed so many items is because the SolarWinds technical support and development teams have had us digging through all of them, weeding through logs, reports, program files and registry keys, and also repairing and uninstalling/re-installing nearly everything but to no avail. We are close to making a decision to completely tear down the server and rebuild it from bare-bones scratch as if it were new hardware fresh out of the box. We would really love to avoid that level of effort.
And no, we don't have the luxury of a test environment for this sort of thing, else we could have avoided this altogether in our production environment.
Has anyone else encountered this issue? If so, what was your solution?
Many thanks for your patience in reading and considering this problem.